Problem 

After upgrading to SAML Single Sign-On version 6.x, a user receives an error on the application side after authenticating with the Identity Provider.

The application logs show the following message.

    /plugins/servlet/samlsso [c.o.saml2.authn.SamlResponse] <Audience URI> is not a valid audience for this Response

This error means that the Audience in the SAML response sent by the Identity Provider does not match the Entity-ID configured in the plugin. By default, the Entity-ID of the service provider in the plugin configuration is <Base-URL>/plugins/servlet/samlsso, but this is configurable in the Service Provider configuration tab.

The plugin will only accept the SAML response when the Audience matches the Entity-ID. 

Solution

In order to fix this problem, you need to correct your configuration on the Identity Provider side. In most Identity Providers the field where you define the Audience is called Identifier (Entity ID) or Audience URI (SP Entity ID).


Background 

What is the Audience Restriction?

Audience Restriction defines a value within the SAML assertion that specifies who (and only who) the assertion is intended for. The "audience" is the service provider and is typically a URL, but it can technically be any string.
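To make the check behind the error concrete, here is an added example (not the plugin's own code) that extracts the saml:Audience values from an AudienceRestriction and compares them with the configured SP Entity-ID exactly as a string. The response XML, the hostnames and the function names are constructed for illustration; signature verification of the response, which must happen before any of its contents are trusted, is outside the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs defined by the SAML 2.0 core specification.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP was given the bare base URL as the audience
# instead of the plugin's default Entity-ID, so the check below fails.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://jira.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def extract_audiences(response_xml):
    """Return every <saml:Audience> value found under an AudienceRestriction."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(aud.text or "").strip() for aud in root.findall(path, NS)]


def is_valid_audience(response_xml, sp_entity_id):
    """True only if the configured SP Entity-ID is listed as an audience.

    The comparison is an exact string match: a different scheme, host, path
    or a trailing slash makes it a different audience. A response with no
    AudienceRestriction at all is rejected here as well (design choice of
    this example, not a statement about the plugin's behaviour).
    """
    return sp_entity_id in extract_audiences(response_xml)


def check_audience(response_xml, sp_entity_id):
    """Raise the same kind of error the plugin logs when the audience is wrong."""
    if not is_valid_audience(response_xml, sp_entity_id):
        found = ", ".join(extract_audiences(response_xml)) or "<none>"
        raise ValueError(f"{found} is not a valid audience for this Response")


if __name__ == "__main__":
    try:
        check_audience(SAMPLE_RESPONSE, "https://jira.example.com/plugins/servlet/samlsso")
    except ValueError as err:
        print("rejected:", err)
```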


Why did this problem not come up in earlier versions of the plugin?

Prior to version 6, our plugin did not check the Audience that is sent in the SAML response. Since version 6, we use other SAML libraries that better implement the SAML standard, and this Audience URI is now checked.


How can I check what Audience is sent by the IdP?

The <Audience URI> in the error message tells you what has been configured on the Identity Provider side. 


Where can I find the expected Audience value in the SAML plugin?

In our SAML Single Sign-On plugin configuration, you find the "Show IdP Information" button at the top right. There, look for the Entity-ID, which is by default <Base-URL>/plugins/servlet/samlsso.